'\" t
.\"     Title: clevis-luks-regen
.\"    Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 03/30/2024
.\"    Manual: \ \&
.\"    Source: \ \&
.\"  Language: English
.\"
.TH "CLEVIS\-LUKS\-REGEN" "1" "03/30/2024" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
clevis-luks-regen \- Regenerates a clevis binding
.SH "SYNOPSIS"
.sp
\fBclevis luks regen\fR [\-q] \-d DEV \-s SLT
.SH "OVERVIEW"
.sp
The \fBclevis luks regen\fR command regenerates the clevis binding for a given slot in a LUKS device, using the same configuration of the existing binding\&. Its operation can be compared to performing \fBclevis luks unbind\fR and \fBclevis luks bind\fR for rebinding said slot and device\&. This is useful when rotating tang keys\&.
.SH "OPTIONS"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB\-d\fR
\fIDEV\fR
: The bound LUKS device
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB\-s\fR
\fISLT\fR
: The slot or key slot number for rebinding\&. Note that it requires that such slot is currently bound by clevis\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB\-q\fR: Do not prompt for confirmation\&.
.RE
.SH "EXAMPLE"
.sp
.if n \{\
.RS 4
.\}
.nf
Let\*(Aqs start by using clevis luks list to see the current binding configuration in /dev/sda1:
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
# clevis luks list \-d /dev/sda1
1: tang \*(Aq{"url":"http://tang\&.server"}\*(Aq
2: tpm2 \*(Aq{"hash":"sha256","key":"ecc"}\*(Aq
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
We see that slot 1 in /dev/sda1 has a tang binding with the following configuration:
\*(Aq{"url":"http://tang\&.server"}\*(Aq
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
Now let\*(Aqs do the rebinding of slot 1:
# clevis luks regen \-d /dev/sda1 \-s 1
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
After a successful operation, we will have the new binding using the same configuration that was already in place\&.
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.sp
\fBclevis\-luks\-list\fR(1) \fBclevis\-luks\-bind\fR(1) \fBclevis\-luks\-unbind\fR(1)